DESedeWrap - Completing coverage of the Java JCE

Graham Steel
November 29, 2017
DESedeWrap Java JCE

Here at Cryptosense we've recently been working on adding the last few algorithms to our Java Crypto Analyzer to cover 100% of the standard (SunJCE) provider. The last one we treated was the mysterious-sounding DESede Wrap. What exactly does it do, and is it secure?

DESede is a synonym for triple-DES, 3DES or TDEA. The "ede" part comes from the way triple-DES combines three DES operations: it uses the first 56 bits of a key to encrypt the plaintext (using ordinary DES), the second 56 bits to decrypt the result, and the final 56 bits to encrypt the result of that. But DESede Wrap is not so simple. Designed for situations where you want to encrypt one triple-DES key with another, the scheme was first described in RFC 2630, then RFC 3217, and then standardised as AKW1 in a NIST request for review on Key Wrap (it is not included in the current version of the NIST recommendations for Key Wrap). Encrypting or wrapping a key involves encrypting the payload key and a truncated SHA-1 hash of the payload key with a random IV in CBC mode, prepending the IV to the result, reversing it, and then encrypting the whole thing in CBC mode again, but this time with a fixed IV of 0x4adda22c79e82105.

From Rogaway and Shrimpton '07 - Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

If that sounds a little odd to you, you're not alone. Phil Rogaway and Tom Shrimpton in their 2007 paper on key wrapping described it as "peculiar", going on to say

[It] seems to reflect no single and ascertainable cryptographic goal... Probably the best explanation for the odd structure of AKW1 is that there is no explanation, according to a participant, and as revealed by the S/MIME working group’s mail log, the scheme grew by accretion, with different people having their own goals and ideas, with no underlying design rationale.

On the other hand, they also note that while a security proof seems unobtainable (because the security goal is not clear), they were unable to find attack on the scheme. So far we've never seen an application use DesEDE, but when we do, our Analyzer will give a "low" warning that it's not NIST approved and not considered best practice.

To find out more about the security of Java crypto you can download our whitepaper.